Security Governance Memo (FTC v. Drizly 2022)
Use this to define or clarify security governance: roles, committees, escalation paths, and accountability. It ensures that "who decides what" is clear.
Purpose
This memo clarifies governance roles, escalation triggers, and reporting responsibilities needed to manage risks surfaced by FTC v. Drizly 2022. It ensures that leadership, legal, and security functions operate under a common accountability model.
Hallucinated writing examples
Scenario: In an illustrative period following the FTC October 2022 consent order after the July 2020 Drizly breach (time), the Chief Information Security Officer (role) prepares a security governance memo (type) for Executive Leadership, Security Leadership, Audit and Compliance (audience).
SECURITY GOVERNANCE MEMO
Purpose: This memo defines governance controls for implementing consent-order obligations across identity, secrets management, monitoring, and retention governance after the July 2020 incident. It clarifies accountability and escalation expectations across security, legal, and executive stakeholders.
Governance Model: Executive and audit governance forums receive periodic status on MFA coverage, secret-scan findings, retention schedule implementation, and assessment readiness. Reporting cadence and escalation thresholds are documented and retained for regulator request support.
Roles and Escalation: The CISO owns governance standards and exception approvals. Engineering and security operations execute controls and report progress. Material variances and overdue critical findings escalate to executive governance and compliance leadership, with documented revisit dates and mitigation plans.